WS-2019-0172 (Medium) detected in swagger-ui-2.1.4.tgz

[mend-bolt-for-github]

WS-2019-0172 - Medium Severity Vulnerability

Vulnerable Library - swagger-ui-2.1.4.tgz

Swagger UI is a dependency-free collection of HTML, JavaScript, and CSS assets that dynamically generate beautiful documentation from a Swagger-compliant API

Library home page: https://registry.npmjs.org/swagger-ui/-/swagger-ui-2.1.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/node-red-node-swagger/node_modules/swagger-ui/package.json

Dependency Hierarchy:

• node-red-node-swagger-0.1.9.tgz (Root Library)
  • ❌ swagger-ui-2.1.4.tgz (Vulnerable Library)

Found in HEAD commit: a828769834f37b291096091f7d78329324424ce2

Vulnerability Details

swagger-ui before 3.20.9 fails to sanitize URLs used in the OAuth auth flow, which may allow attackers to execute arbitrary JavaScript. that leads to Cross-Site Scripting

Publish Date: 2019-02-23

URL: WS-2019-0172

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/976

Release Date: 2019-02-23

Fix Resolution: 3.20.9

---

Step up your Open Source Security Game with WhiteSource here